Ads / telemetry are disallowed completely, as per our developer policies.
So plugins that have those domains in the code will not be available from the site / app.
We did not implement the crypto part ourselves.
We use the SuptleCrypto Web API implementation and a library called scrypt (this one: https://github.com/ricmoo/scrypt-js).
We also had someone from the EteSync/EteBase project take a look at the code before Obsidian Sync was released.
As others have already pointed out, Sync is not the only option to synchronize notes, Obsidian sync is just a convenience option.
For compliance, I am guessing you mean certs like SOC 2 / ISO 27001?, or what are you referencing?
As we are a tiny company (6 people, not all full time) we just can't expense the time needed to get such a certificate.
We have additional checks that also check the release assets to catch issues in dependencies etc, that part is not public.